Digital Forensics

It's all about asking the right questions

We use forensic science to find accurate answers. It's about determining the who, what, why, where, when and how

Digital forensics (sometimes referred to as computer forensics or cyber forensics) is an established forensic science that deals with the identification, examination and analysis of digital evidence to prove or disprove a matter for legal purposes. It is a highly technical scientific discipline drawn from various computing disciplines, including applied mathematics, computer science, information systems, and information technology engineering. While many of the founders of the discipline came from a law enforcement background, the discipline has evolved from these origins into a fully-fledged forensic science.

The Digital Forensics Process

1. Digital Evidence Identification & Legal Authorisation

​The first step in the digital forensics process is to identify potential sources of digital evidence. We have been trained to help you identify where the most relevant information will be found. We understand that the electronic evidence is very volatile in nature and as such time is not on your side. Therefore, the effectiveness of identifying the relevant media to obtain is a crucial part of a successful investigation.

Equally important to identifying potential sources of digital evidence is ensuring that we have all the legal authorisation necessary for the digital forensics process. We have significant experience in interacting with the legal system in criminal and civil courts, and in administrative legal environments.

We understand the evidential requirements in the law of evidence, and as such we ensures that all digital forensics work to be done is conducted strictly in terms of the letter of the law, and taking into account the requirements of the Bill of Rights. To this end, we work with our clients to ensure that the proper legal processes are in place and used. We will not engage without this.

2. Digital Evidence Preservation & Acquisition

​
​The second step in the digital forensics process it to preserve the digital evidence in a forensically valid manner (also known as forensic acquisition). This is perhaps the most crucial aspect of the entire digital forensics process, which if done incorrectly may render any evidence obtained inadmissible in court.

Our digital forensics acquisition processes are fully compliant with the ISO 27037 standard for the identification, collection, acquisition, and preservation of digital evidence. All of the hardware and software tools that we utilise in these processes are tested and scientifically calibrated and validated to ensure that they are functioning correctly. All of this ensures the integrity of our forensic processes meets the highest standards, ensuring the reliability of the digital evidence in court.

3. Forensic Examination of the Digital Evidence

​
The third step in the digital forensics process is the examination of the digital evidence. Based on the questions that need to be answered, we will process the digital evidence preserved, recovering deleted and fragmented data, and reconstruct data, to identify files and other data that is relevant to the matter at hand.

In essence, this answers the “what” question by identifying the relevant digital evidence. This also often reveals additional investigative leads which can enhance the investigation process. We work closely with our clients to refine the examination as the case develops to ensure the most effective approach to identifying relevant digital evidence.

4. Forensic Analysis of the Digital Evidence

​
The multifaceted and complex nature of digital evidence can be used to prove more than simply the existence of a particular file contained on a computer, smartphone, or other device. So many digital forensics processes end prematurely by only finding files on the media examined. If examination answer the “what” question, then analysis answer “who”, “when”, “where”, “why”, and “how”. The forensic analysis of relevant digital evidence allows us to interpret the digital evidence fully. This further allows us to:
​

Reconstruct what events have taken place

Determine where particular evidence comes from

Determine when particular evidence was created

Determine who created, accessed, modified or interacted with the evidence

Determine how particular software or executable code functions

Determine the nature of modifications to particular evidence

The forensic analysis of digital evidence is what gives real legal and scientific value to the digital evidence. Cases that only make use of files found during the examination process without placing them into context and interpreting them through analysis, do not make use of digital evidence to its full potential.

5. Reporting & Testifying

​
The final stage of the digital forensics process. We have extensive experience in testifying in courts at all levels as technical and scientific expert witnesses, and presenting our findings in affidavits or reports.

We communicate our findings objectively and scientifically, in a manner which allows complex technical, digital forensics and cybercrime concepts to be understood by the audience that we are communicating to. We do not believe in trying to over-complicate the evidence to confuse the audience to avoid being effectively questioned about our findings.

We specifically address the investigative and legal questions that we have been tasked to resolve in a manner that is not only understandable, but also meets acceptable legal standards for use in a court of law. Perhaps more importantly: we do not charge our clients to testify, as that is our duty to the legal processes that arise from the work we do.

Whether a matter that has been investigated is ultimately resolved in a criminal court, a civil court, or in an administrative hearing, digital forensics is a crucial discipline to ensure that any digital evidence used has legal value, and that the correct interpretation thereof leads to the truth